Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebTechGlobal RomanCart romancart-on-wordpress allows Reflected XSS. This issue affects RomanCart: from n/a through <= 0.0.2.
Published: 2025-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RomanCart on WordPress plugin contains an improper neutralization of input during web page generation, allowing attackers to inject malicious scripts into pages viewed by users. Attackers can craft a URL that triggers the reflected XSS, potentially leading to session hijacking, defacement, or phishing attacks against users of sites running the affected plugin. This weakness is identified as CWE‑79 and carries a CVSS score of 7.1.

Affected Systems

Affected systems are WordPress sites running the RomanCart plugin by WebTechGlobal at version 0.0.2 or earlier.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1 (rated High) and an EPSS score of less than 1%, indicating a low probability of exploitation at this time. It is not currently listed in CISA's KEV catalog. Exploitation requires a user to visit a crafted URL on a site that hosts the vulnerable plugin, making it a remote attack that depends on user interaction.

Generated by OpenCVE AI on May 1, 2026 at 17:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RomanCart to the latest version (0.0.3 or newer) that removes the reflected XSS flaw.
  • If an upgrade is not immediately possible, temporarily disable or deactivate the RomanCart plugin on all affected WordPress sites until a patched version is deployed.
  • Consider replacing RomanCart with an alternative, more secure shopping‑cart plugin, or apply a web‑application firewall rule to block malicious XSS payloads until the plugin can be removed or updated.

Advisories
Source: EUVD
ID: EUVD-2025-3343
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RomanCart allows Reflected XSS. This issue affects RomanCart: from n/a through 0.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 03 Apr 2026 07:45:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RomanCart allows Reflected XSS. This issue affects RomanCart: from n/a through 0.0.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebTechGlobal RomanCart romancart-on-wordpress allows Reflected XSS.This issue affects RomanCart: from n/a through <= 0.0.2.

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00035}
Values Added: {'score': 0.00045}

Mon, 03 Feb 2025 14:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RomanCart allows Reflected XSS. This issue affects RomanCart: from n/a through 0.0.2.

Type: Title
Values Added: WordPress RomanCart On WordPress plugin <= 0.0.2 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:28:39.915Z

Reserved: 2025-01-16T11:28:15.068Z

Link: CVE-2025-23685

Vulnrichment

Updated: 2025-02-03T16:06:57.029Z

NVD

Status: Deferred

Published: 2025-02-03T15:15:22.420

Modified: 2026-06-17T08:56:22.727

Link: CVE-2025-23685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T18:00:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')